@ttoss/http-server-mcp 0.16.1 → 0.16.2

package/README.md

@@ -342,7 +342,7 @@ Both fields are optional. Omitting `resourceMetadataUrl` keeps the bare `Bearer`
 
 ## Issuing tokens for MCP clients
 
-The `auth` option above covers the **resource-server** half of MCP authorization — it verifies tokens issued by an external authorization server (Cognito, Auth0, …). To make your own first-party server _issue_ the tokens an MCP client runs the full OAuth flow against, add the [`@ttoss/http-server-oauth`](https://ttoss.dev/docs/modules/packages/http-server-oauth) plugin's `oauthServer()` and pair it with `createMcpRouter({ auth: { verifyToken } })` so one deployment both issues and verifies tokens. See the [OAuth Authorization Server](https://ttoss.dev/docs/engineering/guidelines/oauth-authorization-server) guideline.
+The `auth` option above covers the **resource-server** half of MCP authorization — it verifies tokens issued by an external authorization server (Cognito, Auth0, …). To make your own first-party server _issue_ the tokens an MCP client runs the full OAuth flow against, add the [`@ttoss/http-server-auth`](https://ttoss.dev/docs/modules/packages/http-server-auth) plugin's `oauthServer()` and pair it with `createMcpRouter({ auth: { verifyToken } })` so one deployment both issues and verifies tokens. See the [OAuth Authorization Server](https://ttoss.dev/docs/engineering/guidelines/oauth-authorization-server) guideline.
 
 ## API Reference
 

package/dist/index.cjs

@@ -4,14 +4,29 @@ Object.defineProperty(exports, Symbol.toStringTag, {
 });
 let node_async_hooks = require("node:async_hooks");
 let _modelcontextprotocol_sdk_server_streamableHttp_js = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+let _ttoss_auth_core_amazon_cognito = require("@ttoss/auth-core/amazon-cognito");
 let _ttoss_http_server = require("@ttoss/http-server");
-let _ttoss_http_server_oauth = require("@ttoss/http-server-oauth");
+let _ttoss_http_server_auth = require("@ttoss/http-server-auth");
 let zod = require("zod");
 let _modelcontextprotocol_sdk_server_mcp_js = require("@modelcontextprotocol/sdk/server/mcp.js");
 
 //#region src/index.ts
 /** MCP lifecycle/discovery methods reachable before a client authenticates. */
 var DEFAULT_PUBLIC_METHODS = ["initialize", "tools/list"];
+/** Builds the token verifier from the MCP auth options. */
+var buildVerifyToken = auth => {
+  if (auth.cognitoUserPool) {
+    const verifier = _ttoss_auth_core_amazon_cognito.CognitoJwtVerifier.create({
+      tokenUse: "access",
+      ...auth.cognitoUserPool
+    });
+    return token => {
+      return verifier.verify(token);
+    };
+  }
+  if (auth.verifyToken) return auth.verifyToken;
+  throw new Error("McpAuthOptions requires either cognitoUserPool or verifyToken");
+};
 var requestContextStore = new node_async_hooks.AsyncLocalStorage();
 /**
 * Generic HTTP helper for use inside MCP tool handlers.
@@ -192,25 +207,36 @@ var createMcpRouter = (server, options = {}) => {
   };
   const router = new _ttoss_http_server.Router();
   if (auth) {
-    const {
-      resourceServerUrl,
-      authorizationServerUrl,
-      ...verifyOptions
-    } = auth;
-    router.use(path, (0, _ttoss_http_server_oauth.oauthVerify)({
-      ...verifyOptions,
-      publicMethods: verifyOptions.publicMethods ?? DEFAULT_PUBLIC_METHODS
-    }));
-    if (resourceServerUrl && authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
+    const verifyToken = buildVerifyToken(auth);
+    const publicMethods = new Set(auth.publicMethods ?? DEFAULT_PUBLIC_METHODS);
+    const verify = (0, _ttoss_http_server_auth.authMiddleware)({
+      strategies: ["oauth"],
+      oauth: {
+        verify: token => {
+          return verifyToken(token);
+        },
+        requiredScopes: auth.requiredScopes
+      },
+      resourceMetadataUrl: auth.resourceMetadataUrl
+    });
+    router.use(path, async (ctx, next) => {
+      const method = ctx.request.body?.method;
+      if (publicMethods.has(method ?? "")) {
+        await next();
+        return;
+      }
+      await verify(ctx, next);
+    });
+    if (auth.resourceServerUrl && auth.authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
       ctx.body = {
-        resource: resourceServerUrl,
-        authorization_servers: [authorizationServerUrl]
+        resource: auth.resourceServerUrl,
+        authorization_servers: [auth.authorizationServerUrl]
       };
     });
   }
   const handleWithContext = async (ctx, body) => {
     const apiHeaders = getApiHeaders ? getApiHeaders(ctx) : {};
-    const identity = ctx.state.identity;
+    const identity = ctx.state.user;
     const runRequest = async transport => {
       await transport.handleRequest(ctx.req, ctx.res, body);
       ctx.respond = false;

package/dist/index.d.cts

@@ -3,7 +3,6 @@
 import { McpServer, McpServer as McpServer$1 } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { Router } from "@ttoss/http-server";
-import { OAuthVerifyOptions } from "@ttoss/http-server-oauth";
 import accepts from "accepts";
 import { AsyncLocalStorage } from "async_hooks";
 import Cookies from "cookies";
@@ -668,12 +667,43 @@ declare namespace Application {
 //#endregion
 //#region src/index.d.ts
 type Context$1 = Application.Context;
+/** Amazon Cognito user pool configuration for JWT verification. */
+interface CognitoUserPoolConfig {
+  /** The Cognito User Pool ID (e.g. `us-east-1_abc123`). */
+  userPoolId: string;
+  /**
+   * Which token type to verify.
+   * @default 'access'
+   */
+  tokenUse?: 'access' | 'id';
+  /** The app client ID registered in the User Pool. */
+  clientId: string;
+}
 /**
- * Authentication options for the MCP endpoint. Extends the `@ttoss/http-server`
- * OAuth verification options with the optional protected-resource metadata
- * endpoint that MCP clients fetch for discovery.
+ * Authentication options for the MCP endpoint. Verification runs through
+ * `@ttoss/http-server-auth`'s `oauth` strategy; supply either a Cognito user
+ * pool or a custom `verifyToken`.
  */
-interface McpAuthOptions extends OAuthVerifyOptions {
+interface McpAuthOptions {
+  /** Amazon Cognito user pool config; a `CognitoJwtVerifier` is built from it. */
+  cognitoUserPool?: CognitoUserPoolConfig;
+  /**
+   * Custom token verifier for non-Cognito providers (Auth0, Keycloak, your own
+   * JWTs, opaque tokens). Resolve with the verified payload, or throw to reject.
+   */
+  verifyToken?: (token: string) => Promise<unknown>;
+  /** Scopes that must all be present on the token's `scope` claim, else `403`. */
+  requiredScopes?: string[];
+  /**
+   * JSON-RPC methods (read from `body.method`) that bypass verification.
+   * @default ['initialize', 'tools/list']
+   */
+  publicMethods?: string[];
+  /**
+   * When set, a `401` carries `WWW-Authenticate: Bearer resource_metadata="…"`
+   * (RFC 9728) so MCP clients can discover the authorization server.
+   */
+  resourceMetadataUrl?: string;
   /**
    * URL of this MCP server, surfaced in the OAuth Protected Resource Metadata
    * response. Both this and `authorizationServerUrl` must be set to serve
@@ -974,4 +1004,4 @@ interface RegisterToolFromSchemaParams {
  */
 declare const registerToolFromSchema: (server: McpServer$1, params: RegisterToolFromSchemaParams) => void;
 //#endregion
-export { ApiCallOptions, JsonObjectSchema, McpAuthOptions, McpRouterOptions, McpServer, RegisterToolFromSchemaParams, apiCall, checkScopes, createMcpRouter, getIdentity, registerToolFromSchema, z };
+export { ApiCallOptions, CognitoUserPoolConfig, JsonObjectSchema, McpAuthOptions, McpRouterOptions, McpServer, RegisterToolFromSchemaParams, apiCall, checkScopes, createMcpRouter, getIdentity, registerToolFromSchema, z };

package/dist/index.d.mts

@@ -1,7 +1,6 @@
 
 /// <reference types="node" />
 import { Router } from "@ttoss/http-server";
-import { OAuthVerifyOptions } from "@ttoss/http-server-oauth";
 import { z } from "zod";
 import { McpServer, McpServer as McpServer$1 } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
@@ -668,12 +667,43 @@ declare namespace Application {
 //#endregion
 //#region src/index.d.ts
 type Context$1 = Application.Context;
+/** Amazon Cognito user pool configuration for JWT verification. */
+interface CognitoUserPoolConfig {
+  /** The Cognito User Pool ID (e.g. `us-east-1_abc123`). */
+  userPoolId: string;
+  /**
+   * Which token type to verify.
+   * @default 'access'
+   */
+  tokenUse?: 'access' | 'id';
+  /** The app client ID registered in the User Pool. */
+  clientId: string;
+}
 /**
- * Authentication options for the MCP endpoint. Extends the `@ttoss/http-server`
- * OAuth verification options with the optional protected-resource metadata
- * endpoint that MCP clients fetch for discovery.
+ * Authentication options for the MCP endpoint. Verification runs through
+ * `@ttoss/http-server-auth`'s `oauth` strategy; supply either a Cognito user
+ * pool or a custom `verifyToken`.
  */
-interface McpAuthOptions extends OAuthVerifyOptions {
+interface McpAuthOptions {
+  /** Amazon Cognito user pool config; a `CognitoJwtVerifier` is built from it. */
+  cognitoUserPool?: CognitoUserPoolConfig;
+  /**
+   * Custom token verifier for non-Cognito providers (Auth0, Keycloak, your own
+   * JWTs, opaque tokens). Resolve with the verified payload, or throw to reject.
+   */
+  verifyToken?: (token: string) => Promise<unknown>;
+  /** Scopes that must all be present on the token's `scope` claim, else `403`. */
+  requiredScopes?: string[];
+  /**
+   * JSON-RPC methods (read from `body.method`) that bypass verification.
+   * @default ['initialize', 'tools/list']
+   */
+  publicMethods?: string[];
+  /**
+   * When set, a `401` carries `WWW-Authenticate: Bearer resource_metadata="…"`
+   * (RFC 9728) so MCP clients can discover the authorization server.
+   */
+  resourceMetadataUrl?: string;
   /**
    * URL of this MCP server, surfaced in the OAuth Protected Resource Metadata
    * response. Both this and `authorizationServerUrl` must be set to serve
@@ -974,4 +1004,4 @@ interface RegisterToolFromSchemaParams {
  */
 declare const registerToolFromSchema: (server: McpServer$1, params: RegisterToolFromSchemaParams) => void;
 //#endregion
-export { ApiCallOptions, JsonObjectSchema, McpAuthOptions, McpRouterOptions, McpServer, RegisterToolFromSchemaParams, apiCall, checkScopes, createMcpRouter, getIdentity, registerToolFromSchema, z };
+export { ApiCallOptions, CognitoUserPoolConfig, JsonObjectSchema, McpAuthOptions, McpRouterOptions, McpServer, RegisterToolFromSchemaParams, apiCall, checkScopes, createMcpRouter, getIdentity, registerToolFromSchema, z };

package/dist/index.mjs

@@ -1,14 +1,29 @@
 /** Powered by @ttoss/config. https://ttoss.dev/docs/modules/packages/config/ */
 import { AsyncLocalStorage } from "node:async_hooks";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { CognitoJwtVerifier } from "@ttoss/auth-core/amazon-cognito";
 import { Router } from "@ttoss/http-server";
-import { oauthVerify } from "@ttoss/http-server-oauth";
+import { authMiddleware } from "@ttoss/http-server-auth";
 import { z, z as z$1 } from "zod";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
 //#region src/index.ts
 /** MCP lifecycle/discovery methods reachable before a client authenticates. */
 var DEFAULT_PUBLIC_METHODS = ["initialize", "tools/list"];
+/** Builds the token verifier from the MCP auth options. */
+var buildVerifyToken = auth => {
+  if (auth.cognitoUserPool) {
+    const verifier = CognitoJwtVerifier.create({
+      tokenUse: "access",
+      ...auth.cognitoUserPool
+    });
+    return token => {
+      return verifier.verify(token);
+    };
+  }
+  if (auth.verifyToken) return auth.verifyToken;
+  throw new Error("McpAuthOptions requires either cognitoUserPool or verifyToken");
+};
 var requestContextStore = new AsyncLocalStorage();
 /**
 * Generic HTTP helper for use inside MCP tool handlers.
@@ -189,25 +204,36 @@ var createMcpRouter = (server, options = {}) => {
   };
   const router = new Router();
   if (auth) {
-    const {
-      resourceServerUrl,
-      authorizationServerUrl,
-      ...verifyOptions
-    } = auth;
-    router.use(path, oauthVerify({
-      ...verifyOptions,
-      publicMethods: verifyOptions.publicMethods ?? DEFAULT_PUBLIC_METHODS
-    }));
-    if (resourceServerUrl && authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
+    const verifyToken = buildVerifyToken(auth);
+    const publicMethods = new Set(auth.publicMethods ?? DEFAULT_PUBLIC_METHODS);
+    const verify = authMiddleware({
+      strategies: ["oauth"],
+      oauth: {
+        verify: token => {
+          return verifyToken(token);
+        },
+        requiredScopes: auth.requiredScopes
+      },
+      resourceMetadataUrl: auth.resourceMetadataUrl
+    });
+    router.use(path, async (ctx, next) => {
+      const method = ctx.request.body?.method;
+      if (publicMethods.has(method ?? "")) {
+        await next();
+        return;
+      }
+      await verify(ctx, next);
+    });
+    if (auth.resourceServerUrl && auth.authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
       ctx.body = {
-        resource: resourceServerUrl,
-        authorization_servers: [authorizationServerUrl]
+        resource: auth.resourceServerUrl,
+        authorization_servers: [auth.authorizationServerUrl]
       };
     });
   }
   const handleWithContext = async (ctx, body) => {
     const apiHeaders = getApiHeaders ? getApiHeaders(ctx) : {};
-    const identity = ctx.state.identity;
+    const identity = ctx.state.user;
     const runRequest = async transport => {
       await transport.handleRequest(ctx.req, ctx.res, body);
       ctx.respond = false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/http-server-mcp",
-  "version": "0.16.1",
+  "version": "0.16.2",
   "description": "Model Context Protocol (MCP) server integration for @ttoss/http-server",
   "keywords": [
     "ai",
@@ -35,8 +35,9 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "zod": "^4.4.3",
-    "@ttoss/http-server": "^0.7.0",
-    "@ttoss/http-server-oauth": "^0.1.1"
+    "@ttoss/auth-core": "^0.6.2",
+    "@ttoss/http-server": "^0.7.1",
+    "@ttoss/http-server-auth": "^0.3.2"
   },
   "devDependencies": {
     "@types/koa": "^3.0.3",